* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Download Period of the power generator and small values of the Carmichael
Survey
Document related concepts
Mathematical proof wikipedia , lookup
Georg Cantor's first set theory article wikipedia , lookup
Big O notation wikipedia , lookup
Vincent's theorem wikipedia , lookup
Wiles's proof of Fermat's Last Theorem wikipedia , lookup
Fundamental theorem of calculus wikipedia , lookup
Collatz conjecture wikipedia , lookup
Fermat's Last Theorem wikipedia , lookup
Fundamental theorem of algebra wikipedia , lookup
Factorization of polynomials over finite fields wikipedia , lookup
Quadratic reciprocity wikipedia , lookup
Transcript
MATHEMATICS OF COMPUTATION Volume 70, Number 236, Pages 1591–1605 S 0025-5718(00)01282-5 Article electronically published on July 13, 2000 PERIOD OF THE POWER GENERATOR AND SMALL VALUES OF CARMICHAEL’S FUNCTION JOHN B. FRIEDLANDER, CARL POMERANCE, AND IGOR E. SHPARLINSKI Abstract. Consider the pseudorandom number generator un ≡ uen−1 (mod m), 0 ≤ un ≤ m − 1, n = 1, 2, . . . , where we are given the modulus m, the initial value u0 = ϑ and the exponent e. One case of particular interest is when the modulus m is of the form pl, where p, l are different primes of the same magnitude. It is known from work of the first and third authors that for moduli m = pl, if the period of the sequence (un ) exceeds m3/4+ε , then the sequence is uniformly distributed. We show rigorously that for almost all choices of p, l it is the case that for almost all choices of ϑ, e, the period of the power generator exceeds (pl)1−ε . And so, in this case, the power generator is uniformly distributed. We also give some other cryptographic applications, namely, to rulingout the cycling attack on the RSA cryptosystem and to so-called time-release crypto. The principal tool is an estimate related to the Carmichael function λ(m), the size of the largest cyclic subgroup of the multiplicative group of residues modulo m. In particular, we show that for any ∆ ≥ (log log N )3 , we have λ(m) ≥ N exp(−∆) for all integers m with 1 ≤ m ≤ N , apart from at most N exp −0.69 (∆ log ∆)1/3 exceptions. 1. Introduction For an integer n ≥ 1 we define the Carmichael function λ(n) as the largest possible order of elements of the unit group in the residue ring modulo n. More explicitly, for a prime power pk we define k−1 p (p − 1), if p ≥ 3 or k ≤ 2; k λ p = 2k−2 , if p = 2 and k ≥ 3; and finally, λ(n) = lcm λ(pk11 ), . . . , λ pkνν ) , where n = pk11 · · · pkνν is the prime number factorization of n. Received by the editor September 8, 1999. 2000 Mathematics Subject Classification. Primary 11B50, 11N56, 11T71; Secondary 11Y55, 94A60. Key words and phrases. Carmichael’s function, RSA generator, Blum–Blum–Shub generator. The first author was supported in part by NSERC grant A5123 and by an NEC grant to the Institute for Advanced Study. The third author was supported in part by ARC grant A69700294. 1591 c 2000 American Mathematical Society 1592 J. B. FRIEDLANDER, C. POMERANCE, AND I. E. SHPARLINSKI Various upper and lower bounds for λ(n) have been obtained in [9]. In particular, it follows from Theorem 2 of [9] that for all except o(N ) positive integers n ≤ N λ(n) = n exp (− log log n log log log n − C log log n + o(log log n)) for some explicitly given constant C. Here we obtain a modification of this result. We are interested in the lower bound implicit in the above result but, with an application in mind, we wish to be able to say a little more about the size of the exceptional set. In order to do this we need to allow smaller values of λ(n) but then can obtain an explicit and more precise upper bound on the cardinality of the set of positive integers n ≤ N for which that bound is false. We apply this estimate to study the largest possible period of the power generator (1) un ≡ uen−1 (mod m), 0 ≤ un ≤ m − 1, n = 1, 2, . . . , with the initial value u0 = ϑ (an integer coprime to m) and exponent e (an integer at least 2). In the two special cases gcd(e, ϕ(m)) = 1, where ϕ(m) is the Euler function, and e = 2, this sequence is known as the RSA generator and as the Blum–Blum–Shub generator , respectively. For integers g and M ≥ 2 with gcd(g, M ) = 1, denote by ordM g the multiplicative order of g modulo M . It is easy to see that if gcd(e, λ(m)) = 1, then the sequence (1) is purely periodic with some period t. Moreover, this period is given by t = ords e, where s = ordm ϑ, and the largest possible value of t, over all possible choices of ϑ and e, is λ(λ(m)). This generator has numerous cryptographic applications and has been extensively studied in the literature, see [4, 5, 7, 8, 10, 11, 12, 13, 15, 17, 19, 25, 26]. In particular, it is quite important to provide sequences of large period. Because of the aforementioned cryptographic applications this generator is mainly studied in the case m = pl, where p and l are two distinct primes. In this case, the results of [12] imply the uniformity of distribution of this generator provided the period t ≥ m3/4+ε . Moreover, the result becomes stronger as t gets closer to m. Nevertheless, despite quite active studies of this generator, no lower bounds for the values of its largest period λ(λ(m)) are known. Here we apply the abovementioned lower bound for λ(n) to show that, for almost all pairs of primes p, l, λ(λ(pl)) is nearly of order pl. We then use it to prove that for almost all inputs of pairs of primes, initial values ϑ, and exponents e, the period of the corresponding sequence (un ) given by (1) is close to its largest possible value. In particular, for almost all values of the above parameters it exceeds m1−ε for any ε and sufficiently large m. We may remark that if one is willing to request large values of λ(λ(pl)) for many pairs but not for almost all, then one can get very large values indeed. If one is willing also to accept heuristic results, then, as a simple consequence of the well known conjecture about prime k-tuplets (see [3]), there are in every interval (x, 2x) with large x, at least c1 x/(log x)3 primes p such that q = (p−1)/2 and r = (q −1)/2 are both also prime. That is, we request that r, q = 2r + 1, and p = 4r + 3 are prime. It follows on pairing such primes p that there are at least c2 Q2 /(log Q)6 pairs of primes (p, l) with Q/2 < p < l ≤ Q for which λ(λ(pl)) = pl/8 + O (Q). Here the constant 1/8 is best possible. As we shall see below it is possible using sieve methods to unconditionally prove a result of the same strength (and even for a larger number of pairs (p, l)) apart from that constant. PERIOD OF THE POWER GENERATOR AND CARMICHAEL’S FUNCTION 1593 Although studying the power generator (1) has been our primary motivation, we mention two further applications of our results. The first of these is the conclusion that the so-called cycling attack on the RSA cryptosystem has a negligible chance to be efficient. Despite the common belief that this should be the case, no rigorous proof of the statement has been given. The attack is based on the observation that the power generator (1) can be considered as a sequence of consecutive RSA encryptions starting with the “message” u0 . Thus, if the period is t, then after t − 1 iterations of the encrypted message u1 we obtain ut ≡ u0 (mod m), and if t is small, then this is an efficient procedure. Even more, if t is small, then, because it is very likely that the periods tp and tl of this sequence modulo p and l are distinct, after at most min{tp , tl } − 1 iterations this attack may produce a complete factorization of m. This attack, as well as various ways of protecting against it, have been discussed in the literature, see [5, 18, 22, 24]. In particular, the so-called safe primes have been introduced. Rivest and Silverman [24] present arguments which show that randomly selected primes p and l are likely to be strong against this attack. Our results imply a more precise statement which basically means that for a random selection of parameters the expected complexity of this attack is about m1/2 , that is, of the same magnitude as the trial-division factorization algorithm. Indeed, obviously tp (l − 1) ≥ t and tl (p − 1) ≥ t; thus when t is of order m and p ∼ l ∼ m1/2 we obtain that min{tp , tl } is of order m1/2 . Our second application is related to the recently introduced notion of timedrelease crypto, see [23]. For example, for the construction of [23] it is essential to guarantee that the power generator (1) has a large period; see the discussion at the end of Section 2.1 of [23]. Our results provide rigorous support for this assumption. Throughout the paper the implied constants in symbols “O”, “” and “” are absolute. (The notations U V and V U are equivalent to U = O(V ) for positive functions U, V .) We use log x to denote the natural logarithm of x and we let P denote the set of primes. Acknowledgement. We thank Ron Rivest for his interest and for helpful references. 2. Preparations Here we collect some known number-theoretic estimates, which we use in the sequel. First of all we recall that k (2) , ϕ(k) log log(k + 2) where ϕ(k) is the Euler function of k ≥ 1; see Theorem 5.1 of Chapter 1 of [21]. In estimating various sums over primes, we use that the nth prime pn satisfies n log n pn n log n, for n ≥ 2. Let π(X; k, a) denote the number of primes p ≤ X with p ≡ a (mod k). We need the following relaxed version of the Brun–Titchmarsh theorem. For any integers k, a ≥ 1 with 1 ≤ k ≤ X 1/2 and gcd(a, k) = 1, the bound X (3) π(X; k, a) ϕ(k) log X holds; see Theorem 4.1 of Chapter 2 of [21]. 1594 J. B. FRIEDLANDER, C. POMERANCE, AND I. E. SHPARLINSKI We need the following estimate. For any integers X ≥ 3 and k ≥ log X, X log k 1 (4) . q ϕ(k) q∈ P, q≤X q≡1 (mod k) Indeed, for k ≥ X 1/2 we have X 1 ≤ q q∈ P, q≤X q≡1 (mod k) X k≤n≤X n≡1 (mod k) log X log k 1 . n k k For k < X 1/2 we use the same bound, but also the Brun–Titchmarsh estimate (3), to deduce that X q∈ P, q≤X q≡1 (mod k) 1 q dlog Xe X s=dlog ke log k π(exp(s); k, 1) + exp(s) k dlog Xe X s=b2 log kc π(exp(s); k, 1) exp(s) dlog Xe X 1 1 log k log log X log k log k + + . k ϕ(k) s=1 s k ϕ(k) ϕ(k) We shall also require a bound for smaller k. For any fixed α > 0, there exists X0 (α) such that the following holds. For all X ≥ X0 (α) and all k ≤ log X, X (5) q∈ P, X α ≤q≤X q≡1 (mod k) log(1/α) 1 . q ϕ(k) This follows from the above Brun–Titchmarsh bound (3) by partial summation. Let τ (k) denote the number of positive integer divisors of an integer k ≥ 1. The following bounds are well known and hold for any X ≥ 2: X X 3 (6) τ (k) X log X and τ 2 (k) X (log X) ; k≤X k≤X see Theorems 5.3 and 5.4 of Chapter 1 of [21]. Finally, we recall that an integer k ≥ 1 is called Y -smooth if it is divisible only by primes p ≤ Y . Let Ψ(X, Y ) denote the total number of Y -smooth numbers k ≤ X. The following estimate is a substantially relaxed and simplified version of (for example) Corollary 1.3 of [16], see also [6]. Let X = Y u ; then for any u → ∞ with u ≤ Y 1/2 we have the bound (7) Ψ(X, Y ) Xu−u+o(u) . We remark that all the above results are presented in very elementary and simplified forms which nevertheless are sufficient to prove our main results. Much stronger versions are known. For example, a much more precise version of (4) is given in [20]. Unfortunately these more sophisticated results do not seem to improve our estimates. We need the following simple statement about the proportion of numbers whose multiplicative order modulo M ≥ 2 is much smaller than λ(M ). Some results of this kind have been known [5] but they apply only to special moduli M . PERIOD OF THE POWER GENERATOR AND CARMICHAEL’S FUNCTION 1595 Lemma 1. Let M be a positive integer and j a divisor of λ(M ). Let Nj (M ) be the number of integers g with 1 ≤ g ≤ M , gcd(g, M ) = 1 and ordM g dividing λ(M )/j. Then Nj (M ) ≤ ϕ(M )/j. Moreover, for any real K ≥ 1 the number SK (M ) of integers g, 1 ≤ g ≤ M , with gcd(g, M ) = 1 and ordM g ≤ λ(M )/K satisfies SK (M ) ≤ ϕ(M )τ (λ(M ))/K. Proof. Let mν 1 M = pm 1 . . . pν and λ(M ) = q1l1 . . . qµlµ be the prime number factorizations of M and λ(M ). For a divisor j of λ(M ), let j j = q1j1 · · · qµµ be its prime factorization, where each exponent jt satisfies 0 ≤ jt ≤ lt . i in the prime factorization of M , let di be the product of those qtjt For each pm i in the prime factorization of j for which qtlt (in the prime factorization of λ(M )) jt jt i divides λ(pm i ). Note that for each qt there is at least one di divisible by qt , so that j|d1 · · · dν . i we have that g is For ordM g to divide λ(M )/j, it is necessary that for each pm i mi i . The number of residues g modulo p which are coprime a di -power modulo pm i i i )/d . (It is equal to this bound except to pi and are a di -power is at most ϕ(pm i i when di = 2s , s ≥ 1, pi = 2, mi ≥ 3, in which case it is half of this bound.) Thus, by the Chinese remainder theorem, we have Nj (M ) ≤ ϕ(M )/d1 · · · dν ≤ ϕ(M )/j, as required. The second statement follows from the first simply by summing over j|λ(M ), j ≥ K (certainly this last part could be sharpened). We also need the following elementary statement. Lemma 2. Assume d ≥ 1 is a divisor of an integer n > 1. Then for any integer g with gcd(g, n) = 1 we have that ϕ(d)/ordd g divides ϕ(n)/ordn g. We also have ϕ(d)/λ(d) divides ϕ(n)/λ(n) and, as a consequence, λ(n) λ(d) ≥ . d n ∗ ∗ Proof. The natural projection of multiplicative groups (Z/nZ) → (Z/dZ) gives rise to the projection ∗ ∗ (Z/nZ) /hgi → (Z/dZ) /hgi, and so ϕ(d)/ordd g divides ϕ(n)/ordn g as claimed. Next, taking any g satisfying ordn g = λ(n), we deduce that, for this g, ϕ(d)/ordd g divides ϕ(n)/λ(n). But since ϕ(d)/λ(d) divides ϕ(d)/ordd g, the second statement follows. Finally, using the inequality d/ϕ(d) ≤ n/ϕ(n), we obtain the third statement from the second one. As we mentioned above, the largest possible period for the power generator given by (1) for a given modulus m is λ(λ(m)). The next result shows that many pairs ϑ, e lead to a period that is not much smaller than the maximum. 1596 J. B. FRIEDLANDER, C. POMERANCE, AND I. E. SHPARLINSKI Lemma 3. For any positive integer m and any numbers K1 , K2 ≥ 1, let W denote the number of pairs of integers ϑ, e with 1 ≤ ϑ ≤ m, 1 ≤ e ≤ λ(m) and gcd(ϑ, m) = gcd(e, λ(m)) = 1, such that the period of the power generator given by (1) is at most λ(λ(m))/K1 K2 . Then τ (λ(m)) τ (λ(λ(m))) + W ≤ ϕ(m)ϕ(λ(m)) . K1 K2 Proof. We apply Lemma 1 first with M = m and K = K1 . So the number of values of ϑ in [1, m] with s := ordm ϑ > λ(m)/K1 is at least ϕ(m)(1 − τ (λ(m))/K1 ). For each such ϑ we again apply Lemma 1 now with M = s and K = K2 . We deduce that the number of choices for e in [1, s] with ords e > λ(s)/K2 is at least ϕ(s)(1 − τ (λ(s))/K2 ). Thus, there are at least ϕ(λ(m))(1 − τ (λ(s))/K2 ) choices of e ∈ [1, λ(m)] that are coprime to λ(m) and such that ords e > λ(s)/K2 . Note that Lemma 2 implies that if ϑ, e are chosen as above, then the period ords e of the power generator satisfies ords e > λ(s) λ(λ(m))s λ(λ(m))λ(m) λ(λ(m)) ≥ > = . K2 λ(m)K2 λ(m)K1 K2 K1 K2 Since τ (λ(s)) ≤ τ (λ(λ(m))), the result follows. Using the well-known bound τ (k) ≤ k o(1) (see Theorem 5.2 of Chapter 1 of [21]), we can obtain the following corollary, which is possibly useful if λ(λ(m)) is not too small in comparison to λ(m): Corollary 4. Let ε > 0 be arbitrary and let the integer m be sufficiently large depending on the choice of ε. The number of pairs of integers ϑ, e in the range 1 ≤ ϑ ≤ m, 1 ≤ e ≤ λ(m) with gcd(ϑ, m) = gcd(e, λ(m)) = 1, and such that the period t of the power generator given by (1) satisfies t ≤ λ(λ(m))/λ(m)ε is at most ϕ(m)ϕ(λ(m))/λ(λ(m))ε/3 . 3. Lower bounds for the Carmichael function 3 Theorem 5. For sufficiently large numbers N and for ∆ ≥ (log log N ) , the number of positive integers n ≤ N with λ(n) ≤ n exp (−∆) 1/3 . is at most N exp −0.69 (∆ log ∆) Proof. Fix ∆ ≥ (log log N )3 and let us define K from the equation (log K)3 = ∆ − ∆1/2 ; log log K 1/3 α(N ) for some . Note that K ≥ (log N ) thus K = exp 3−1/3 + o(1) (∆ log ∆) α(N ) → ∞ as N → ∞. Let S1 denote the set of n ≤ N with p2 |ϕ(n) for some prime p > K. There are four possibilities for n ∈ S1 . • There exists a prime p > K with p3 |n. There are at most X 1 X N N K −2 ≤N 3 3 p k 1/3 K≤p≤N K≤k≤N PERIOD OF THE POWER GENERATOR AND CARMICHAEL’S FUNCTION 1597 such n ≤ N . Here, and in a number of places below, we are a little inefficient by not saving all possible logarithmic factors. • There exists a prime p > K with p2 |n and also there exists a prime q|n with q ≡ 1 (mod p). From (4) and partial summation we derive that the number of such n ≤ N is at most X X log p X N N K −2 . N 2 3 p q p 2 1/3 K≤p≤N q∈ P, p<q≤N/p q≡1 (mod p) K≤p≤N • There exists a prime p > K and there exists a prime q|n with q ≡ 1 (mod p2 ). As before we see that the number of such n ≤ N is bounded by X log p N K −1 . N 2 p 1/3 K≤p≤N • There exists a prime p > K and there exist two distinct primes q1 q2 |n with q1 ≡ q2 ≡ 1 (mod p). In this, the most frequently occurring case, we see that the number of such n ≤ N is majorized by X N 2 K≤p≤N 1/3 (log p) N K −1 log K. p2 So the cardinality of S1 satisfies | S1 | N K −1 log K ≤ N K −1+o(1) . Put log K and L = Kv. v= log log K Denote by Q the set of primes p ≤ N such that the contribution to p − 1 from primes q < K is at least L. Let L denote the set of K-smooth integers k with N ≥ k ≥ L. Then, from (4) we see that X X log k X X 1 1 ≤ . p p ϕ(k) p∈ Q k∈ L p≡1 p≤N (mod k) k∈ L For the last sum, using (2) we derive X log k ϕ(k) k∈ L dlog N e X s=dlog Le s log s Ψ(exp(s), K). exp(s) It is easy to verify that if for dlog Le ≤ s ≤ dlog N e we define u by the equation exp(s) = K u , then v ≤ u ≤ log N + 1 ≤ K 1/2 , so the bound (7) applies. Therefore X 1 p dlog N e ≤ v −v+o(v) p∈ Q X s log s s=dlog Le ≤ v −v+o(v) (log N ) log log N ≤ K −1+o(1) . 2 Denote by S2 the set of n ≤ N which are divisible by a prime from Q. Then X N X 1 ≤ N K −1+o(1) . ≤N | S2 | ≤ p p p∈ Q p∈ Q 1598 J. B. FRIEDLANDER, C. POMERANCE, AND I. E. SHPARLINSKI Similarly, the cardinality of the set S3 of n ≤ N , such that the contribution to n itself from primes q < K is at least L, satisfies X N X 1 N K −1+o(1) . ≤N | S3 | ≤ k k k∈ L k∈ L Let ω(n) denote the number of distinct prime divisors of an integer n ≥ 1. Denote by S4 the set of n ≤ N with ω(n) ≥ log K − 1. Because, for every n ∈ S4 , τ (n) ≥ 2ω(n) ≥ 12 K log 2 > K 1/2 , we derive from the second part of (6) that X τ 2 (n) N K −1+o(1) . | S4 | ≤ K −1 n≤N Finally, we define the set N = {N K −1 ≤ n ≤ N }\ ( S1 ∪ S2 ∪ S3 ∪ S4 ) . Combining the above results, one verifies that | N | = N + O N K −1+o(1) . For n ∈ N we write ϕ(n) = mM , where m is the contribution of primes q < K and M is the contribution of primes q ≥ K. We see that for any n ∈ N 2 m ≤ Lω(n)+1 ≤ Llog K = exp v (log K) = exp ∆ − ∆1/2 because of our choice of K and v. We also remark that M is squarefree. Therefore, λ(n) ≥ n ϕ(n) m m log log n N K −1 exp −∆ + ∆1/2 N exp (−∆) log log N M= for sufficiently large N . Taking into account that 3−1/3 > 0.69 we obtain the desired statement. 4. Period of the power generator Here we apply Theorem 5 to obtain a lower bound for the largest possible period of the power generator. Recall that P denotes the set of primes. 3 Theorem 6. For Q sufficiently large and for any ∆ ≥ 2 (log log Q) , the number of pairs (p, l) ∈ P 2 , 1 < p < l ≤ Q, with λ (λ(pl)) < Q2 exp (−∆) 1/3 . is at most Q2 exp −0.16 (∆ log ∆) Proof. Fix ∆ ≥ 2(log log Q)3 and put D = exp 0.16 (∆ log ∆)1/3 . The number W of pairs (p, l) ∈ P 2 , 1 < p < l ≤ Q, with gcd(p − 1, l − 1) ≥ D satisfies X π(Q; d, 1)2 . W ≤ d≥D PERIOD OF THE POWER GENERATOR AND CARMICHAEL’S FUNCTION 1599 We use the estimate (3) for d < Q1/2 together with (2) and just π(Q; d, 1) ≤ Q/d for d ≥ Q1/2 , getting X Q2 X Q2 (log log D)2 Q2 + + Q3/2 . W 2 2 2 (log Q)2 d ϕ(d) D (log Q) Q1/2 ≥d≥D d≥Q1/2 Let R(n) be the number of solutions of the equation n = λ(pl) in pairs (p, l) ∈ P 2 , 1 < p < l ≤ Q, with gcd(p − 1, l − 1) < D. Obviously R(n) ≤ Dτ (n). Indeed, we have at most τ (n) possibilities for p−1 and at most D possibilities for gcd(p−1, l−1). These two choices determine l. Put N = Q2 . We say that n is exceptional if λ(n) ≤ N exp (−∆). Because we have ∆ ≥ (log log N )3 , Theorem 5 may be applied. Let E denote the set of exceptional n ≤ N . Applying Theorem 5 and the Cauchy inequality and (6) we obtain 1/2 !1/2 X X X R(n) ≤ | E|1/2 R(n)2 | E|1/2 D τ (n)2 n∈ E n∈ E 1/3 N D exp −0.34 (∆ log ∆) . n≤N Noting that the cardinality of the set Q of these pairs (p, l) ∈ P 2 , 1 < p < l ≤ Q, for which λ(pl) is exceptional is at most X R(n), | Q| ≤ W + n∈ E after simple calculations we derive the result. We now show using sieve methods that for a large number of pairs (p, l) ∈ P 2 we have λ (λ(pl)) pl. Specifically we prove the following result. Theorem 7. There exist positive constants c1 and c2 such that, for more than 4 c1 Q2 / (log Q) pairs (p, l) ∈ P 2 , 1 < p < l ≤ Q, we have λ (λ(pl)) > c2 Q2 . Proof. This proof contains a real parameter α > 0 which will eventually be fixed. Throughout we shall assume, as we may, that Q is chosen sufficiently large in terms of α. We shall require both upper and lower bound sieve results. The upper bound we require is as follows. Let β > 0 and define Y p. P = p<Qβ Let 1 ≤ k ≤ Q1−β be an integer satisfying gcd(k, P ) = 1. The number of primes p < Q satisfying gcd ((p − 1)/2, P ) = 1 and also p ≡ 1 (mod k) is majorized by the number of positive integers m ≤ Q, m ≡ 1 (mod k) for which gcd (m(m − 1)/2, P ) = 1. Bounding this latter set above by means of the (“twodimensional” upper bound) sieve (for example Theorem 5.1 of the standard refer 2 2 ence [14]), we see that this number is O Q/kβ (log Q) . Using the lower bound sieve (see for example Theorem 8.3 of [14]), and estimating the error term with the aid of the Bombieri–Vinogradov theorem, we may fix α > 0 2 sufficiently small that, in every interval (Q/2, Q) there are at least cQ/α (log Q) α primes p such that (p − 1)/2 is free of primes less than Q where the constant c > 0 1600 J. B. FRIEDLANDER, C. POMERANCE, AND I. E. SHPARLINSKI is absolute. We may assume, by discarding no more than Q1−α of our primes, that p − 1 is also squarefree. By possibly making α somewhat smaller (and using the above upper bound sieve to remove the primes and products of two primes) we can also demand that (p − 1)/2 is the product of three or more primes, the product of any two of which is thus no more than Q1−α . To remove the primes we merely take k = 1 and β = 1/2. To remove the products of two primes, we group in accordance with the smaller of the two, calling that one k, apply the upper bound, again with β = 1/2, and then sum over k. The result follows from (5) in view of the fact that as α decreases log(1/α) grows more slowly than 1/α. Consider now the integers pl in the interval Q2 /4, Q2 formed by pairing distinct primes p, l as above. There are at least c2 Q2 /3α2 (log Q)4 of them. By removing O Q2−α of these pairs, we may assume that p−1 l−1 , =1 gcd 2 2 for all pairs under consideration. Thus, for such a pair (p, l) we may write p−1l−1 = q1 · · · qr , 2 2 (8) where q1 , . . . , qr ∈ P are distinct and each satisfies Qα ≤ qj < Q1−2α , j = 1, . . . , r. In particular, r < 2/α. Moreover we have λ (λ(pl)) = λ (lcm (p − 1, l − 1)) = lcm (q1 − 1, . . . , qr − 1), and for all large Q this satisfies λ (λ(pl)) ≥ Q2 (q1 − 1) · · · (qr − 1) ≥ , 2 D(p; l)r /2 17D(p; l)r2 /2 where D(p; l) = max gcd(qi − 1, qj − 1). 1≤i<j≤r For given d, we next apply our upper bound sieve result to bound the number of pairs (p, l) ∈ P 2 , 1 < p < l ≤ Q, for which qi ≡ qj ≡ 1 (mod d) for some 1 ≤ i < j ≤ r, where q1 , . . . , qr are defined by (8). We choose β = α. To bound the number of occurrences with qi and qj both coming from the same member of the pair, we apply the bound once with k = qi qj < Q1−α . For the case where each of the two comes from a different member of the pair we apply the bound twice, once with k = qi and once with k = qj . The number of pairs in question for both cases is bounded by 2 Nd α4 (log Q) Q2 X 4 q∈ P, Qα ≤q<Q1−α q≡1 (mod d) 1 . q For d > log Q we use (4) and for smaller d we use (5). These give X log(1/α) log d 1 . q ϕ(d) α 1−α q∈ P, Q ≤q<Q q≡1 (mod d) PERIOD OF THE POWER GENERATOR AND CARMICHAEL’S FUNCTION 1601 Thus the number of of pairs (p, l) ∈ P 2 , 1 < p < l ≤ Q, in our set which satisfy D(p; l) > D is bounded above by X log(1/α) log d 2 X Q2 Nd 4 ϕ(d) α4 (log Q) d>D d>D 2 Q2 2 (log(1/α)) (log D) . 4 α4 D (log Q) Provided D is chosen sufficiently large in terms of α, say D = α−3 , and α is sufficiently small, this latter set makes a small contribution compared to those for which D(p; l) ≤ D and the result follows. We remark that the constants c1 and c2 in Theorem 7 can be effectively evaluated. Now we study the period of the sequence (un ) given by (1) with m = pl when the primes p and l, the initial value ϑ, and the exponent e are all selected at random. 3 Theorem 8. For Q sufficiently large, for any ∆ ≥ 6 (log log Q) , and for all pairs 1/3 2 2 of them, the (p, l) ∈ P , 1 < p < l ≤ Q, except at most Q exp −0.1 (∆ log ∆) following statement holds. For all pairs (ϑ, e) with 1 ≤ ϑ ≤ m − 1, 1 ≤ e ≤ λ(m), gcd(ϑ, m) = gcd(e, λ(m)) = 1, where m = pl, except at most mλ(m) exp (−0.2∆) of them, the period t of the sequence (un ) given by (1) satisfies t ≥ Q2 exp (−∆) . Proof. First of all we recall that the above period t = ords e, where s = ordm ϑ. It follows from (6) that the number of pairs (p, l) ∈ P 2 , 1 < p < l ≤ Q, with τ ((p − 1)(l − 1)) > exp (∆/8) is at most X exp (−∆/8) τ 2 (k) Q2 exp (−∆/9) . k≤Q2 We will consider only pairs p, l where gcd(p − 1, l − 1) < D, where D is as in the proof of Theorem 6. So, as in that proof, for any number n, the number of pairs p, l with λ(λ(pl)) = n is at most Dτ (n). Thus, the number of pairs p, l with τ (λ(λ(pl))) > exp (∆/8) , is at most D X τ (n). n≤Q2 τ (n)>exp(∆/8) From the second part of (6) the number of n ≤ Q2 with B ≤ τ (n) < 2B is O Q2 (log Q)3 /B 2 , so the sum of these values of τ (n) is O Q2 (log Q)3 /B . Letting B run over powers of 2 starting just below exp (∆/8), we get that X τ (n) DQ2 (log Q)3 exp (−∆/8) Q2 exp (−∆/9) . D n≤Q2 τ (n)>exp(∆/8) 1602 J. B. FRIEDLANDER, C. POMERANCE, AND I. E. SHPARLINSKI Let R be the set of the pairs (p, l) ∈ P 2 , 1 < p < l ≤ Q, for which λ (λ(pl)) ≥ Q2 exp (−∆/3) and τ (λ(pl)) ≤ exp (∆/8) , τ (λ(λ(pl))) ≤ exp (∆/8) . It follows from the above estimates and from Theorem 6 that | R| ≥ Q2 − Q2 exp −0.1 (∆ log ∆)1/3 . Let us fix some pair (p, l) ∈ R and put m = pl. We apply Lemma 3 with K1 = K2 = exp(∆/3). It follows that, except for at most 2ϕ(m)ϕ(λ(m)) exp(−∆/5) ≤ mλ(m) exp(−∆/5) of them, the period t of the power generator is at least λ(λ(m)) exp(−2∆/3). But this bound is at least Q2 exp(−∆), so the result follows. A similar result also holds for p and l described in Theorem 7. It would be of great interest to be able to give a result of the strength of Theorem 8 but where now e is kept fixed while the other parameters p, l, ϑ vary. This seems a much harder question and is quite reminiscent of the Gauss–Artin problem on primitive roots. Using the same ideas as in Theorem 7, we are able to show that quite often the period is reasonably large. Because of its special interest we consider the case when e = 2, that is the Blum–Blum–Shub generator. Theorem 9. Given ε > 0, there exist positive constants c, γ such that for Q suffi4 ciently large, there are more than cQ2 / (log Q) pairs (p, l) ∈ P 2 , p < l ≤ Q, such that for all integers ϑ with 1≤ϑ≤m−1 and gcd(ϑ, m) = 1, where m = pl, except at most m1−γ of them, the period t of the sequence (un ) given by (1) with e = 2 satisfies t ≥ cQ1−ε . Proof. We select the pairs (p, l) ∈ P 2 , 1 < p < l ≤ Q, which gave us large values of λ(λ(pl)) as described in the proof of Theorem 7 and then eliminate those pairs for which ordq1 ...qr 2 is small. Here q1 , . . . , qr are given by (8) and also satisfy the condition that gcd(qi − 1, qj − 1) is bounded for all i 6= j. The number of primes q up to a bound B for which ordq 2 < q 1/2−ε/2 is at most B 1−ε , since these primes divide the product of 2j − 1 for j up to B 1/2−ε/2 and each factor 2j − 1 clearly has fewer than j prime factors. Thus, the number of primesp ≤ Q with p − 1 divisible by a prime q > Qα with ordq 2 < q 1/2−ε/2 is O Q1−αε . Hence, we may assume that the pairs p, l PERIOD OF THE POWER GENERATOR AND CARMICHAEL’S FUNCTION 1/2−ε/2 produced in Theorem 7 all have, for each i, ordqi 2 ≥ qi 1603 . Then ordq1 ···qr 2 = lcm (ordq1 2, . . . , ordqr 2) ordq1 2 · · · · · ordqr 2 1/2−ε/2 ≥ (q1 · · · qr ) (pl)1/2−ε/2 Q1−ε . But, by Lemma 1 the number of choices of ϑ up to m that are coprime to m and with ordm ϑ < q1 · · · qr is O (m/Qα ). Hence, ordm ϑ is either q1 · · · qr or 2q1 · · · qr (since λ(m) = 2q1 · · · qr ) for all ϑ up to m and coprime to m, except at most O m1−α of them. For any choice of ϑ, the period t of the power generator with e = 2 is the order of 2 modulo the largest odd divisor of ordm ϑ. So, but for few exceptional choices of ϑ, this period is ordq1 ...qr 2 and, as we have already seen, ordq1 ...qr 2 Q1−ε . This completes the proof. 5. Remarks Our results cover the important special case where one wishes to show that the exceptional set has cardinality O N (log N )−A with an arbitrary A, which is more than sufficient to deal with integers of the form pl. Actually they go rather further than that. Moreover, one can take slightly smaller values of ∆ in both Theorems 5 and 6. On the other hand, some heuristic arguments show that there are at least N 1−o(1) integers m ≤ N with λ(m) ≤ mo(1) . So to get an exceptional set of size O N 1−ε one may have to allow very small values of λ. Rigorously, we can show that there are at least N 7/10 values of m ≤ N with λ(m) < m1/ log log m . This is done using a recent paper of Baker and Harman [2]. Here is a sketch of the proof: Let M denote the least common multiple of the integers up to log N/ log log N . Consider the primes p up to (log N )3.37 for which p − 1 divides M . From [2], there are more than (log N )3.37 /(log log N )O(1) such primes p. Consider now the squarefree integers m up to M composed solely of these primes p. A simple binomial coefficient calculation shows that there are more than N .703 such numbers m. But each such m has λ(m)|M , and note that M ≤ N O(1/ log log N ) . In addition, using some ideas in [1] one can force λ(m) to be even smaller and still have a power of N values of m. Namely, for each ε > 0 there is a number Nε such that if N ≥ Nε , the number of m ≤ N with λ(m) < exp (log log m)5/(2ε) exceeds N 5/12−ε . Here is a sketch of the proof: Let c = 5/12 − ε/2 and γ = 5/(2ε). γ / log y, y γ ]. Let y be large and let L be the product of the primes in the interval [y 2 1−c such that Let x = exp y . Using Theorem 3.1 in [1] there is an integer K < x #{d|L : d < xc , dK + 1 ∈ P} 1 #{d|L : d < xc }. log x A simple binomial coefficient calculation shows that there are at least xc(1−2/γ) such divisors d. Now, take these primes dK + 1 and form squarefree integers m. In fact, take them t at a time, where t = exp y 3/2 . These numbers m are all at most N := xt and each such λ(m) is a divisor of KL, and so is at most exp ((log log N )γ ). Again, a simple binomial coefficient calculation shows that there 1604 J. B. FRIEDLANDER, C. POMERANCE, AND I. E. SHPARLINSKI are at least N c(1−3/γ) such integers m. Since c(1 − 3/γ) > 5/12 − ε, the proof is complete. Given the results above for general integers m, it seems reasonable to expect that there are many pairs (p, l) ∈ P 2 , 1 < p < l ≤ Q, with quite small values of λ(λ(pl)). On the other hand, to prove that this is the case seems quite a difficult proposition. Indeed, it is not even known that there are infinitely many values of p − 1 which are very smooth and, for λ(λ(pl)) to be small, necessarily both p − 1 and l − 1 must be smooth. References [1] W. R. Alford, A. Granville and C. Pomerance, ‘There are infinitely many Carmichael numbers’, Annals Math. 140 (1994), 703–722. MR 95k:11114 [2] R. C. Baker and G. Harman, ‘Shifted primes without large prime factors’, Acta Arith. 83 (1998), 331–361. MR 99b:11104 [3] A. Balog, ‘The prime k-tuplets conjecture on average’, Analytic Number Theory, Progress in Mathematics 85, Birkhäuser, Boston, 1990, 47–75. MR 92e:11105 [4] L. Blum, M. Blum and M. Shub, ‘A simple unpredictable pseudorandom number generator’, SIAM J. Comp., 15 (1986), 364–383. MR 87k:65007 [5] J. J. Brennan and B. Geist, ‘Analysis of iterated modular exponentiation: The orbit of xα mod N ’, Designs, Codes and Cryptography, 13 (1998), 229–245. MR 99b:11086 [6] E. R. Canfield, P. Erdős and C. Pomerance,‘On a problem of Oppenheim concerning “Factorisatio Numerorum”’, J. Number Theory, 17 (1983), 1–28. MR 85j:11012 [7] T. W. Cusick, ‘Properties of the x2 mod N pseudorandom number generator’, IEEE Trans. Inform. Theory, 41 (1995), 1155–1159. MR 96k:65006 [8] T. W. Cusick, C. Ding and A. Renvall, Stream Ciphers and Number Theory, Elsevier, Amsterdam, 1998. MR 99h:94045 [9] P. Erdős, C. Pomerance and E. Schmutz, ‘Carmichael’s lambda function’, Acta Arith., 58 (1991), 363–385. MR 92g:11093 [10] R. Fischlin and C. P. Schnorr, ‘Stronger security proofs for RSA and Rabin bits’, Lect. Notes in Comp. Sci., Springer-Verlag, Berlin, 1233 (1997), 267–279. CMP 98:09 [11] J. B. Friedlander, D. Lieman and I. E. Shparlinski, ‘On the distribution of the RSA generator’, Proc. Intern. Conf. on Sequences and their Applications (SETA’98), Singapore, Springer-Verlag, London, 1999, 205–212. [12] J. B. Friedlander and I. E. Shparlinski, ‘On the distribution of the power generator’, Math. Comp., (to appear). [13] F. Griffin and I. E. Shparlinski, ‘On the linear complexity profile of the power generator’, Preprint, 1998, 1–11. [14] H. Halberstam and H.-E. Richert, Sieve methods, Academic Press, London 1974. MR 54:12689 [15] J. Håstad and M. Näslund, ‘The security of individual RSA bits’, Proc. 39th IEEE Symp. on Foundations of Comp. Sci., 1998, 510–519. [16] A. Hildebrand and G. Tenenbaum, ‘Integers without large prime factors’, J. de Théorie des Nombres de Bordeaux , 5 (1993), 411–484. MR 95d:11116 [17] J. C. Lagarias, ‘Pseudorandom number generators in cryptography and number theory’, Proc. Symp. in Appl. Math., Amer. Math. Soc., Providence, RI, 42 (1990), 115–143. MR 92f:11109 [18] U. M. Maurer, ‘Fast generation of prime numbers and secure public-key cryptographic parameters’, J. Cryptology, 8 (1995), 123–155. MR 96i:94021 [19] A. J. Menezes, P. C. van Oorschot and S. A. Vanstone, Handbook of Applied Cryptography, CRC Press, Boca Raton, FL, 1997. MR 99g:94015 [20] C. Pomerance, ‘On the distribution of amicable numbers’, J. Reine Angew. Math., 293/294 (1977), 217–222. MR 56:5402 [21] K. Prachar, Primzahlverteilung, Springer-Verlag, Berlin, 1957. MR 19:393b [22] R. L. Rivest, ‘Remarks on a proposed cryptanalytic attack on the M.I.T. public-key cryptosystem’, Cryptologia, 2 (1978), 62–65. PERIOD OF THE POWER GENERATOR AND CARMICHAEL’S FUNCTION 1605 [23] R. L. Rivest, A. Shamir and D. A. Wagner, ‘Time-lock puzzles and timed-release crypto’, Preprint, 1996, 1–9. [24] R. L. Rivest and R. D. Silverman, ‘Are “strong” primes needed for RSA?’, Preprint, 1999, 1–23. [25] I. E. Shparlinski, ‘On the linear complexity of the power generator’, Designs, Codes and Cryptography, (to appear). [26] D. R. Stinson, Cryptography: Theory and Practice, CRC Press, Boca Raton, FL, 1995. MR 96k:94015 Department of Mathematics, University of Toronto, Toronto, Ontario M5S 3G3, Canada E-mail address: [email protected] Department of Fundamental Mathematics, Bell Labs, Murray Hill, New Jersey 07974-0636 E-mail address: [email protected] Department of Computing, Macquarie University, Sydney, New South Wales 2109, Australia E-mail address: [email protected]